By MyCena | Posted on: 16 April 2026
What is the personal liability exposure for board members who do not act on credential risk?
This question has a specific legal answer that boards should review with their general counsel. The following is factual information, not legal advice.
NIS2 Article 20 explicitly states that management bodies can be held personally liable for infringements of cybersecurity requirements in essential and important entities. Named directors can face personal fines and temporary bans from management roles.
DORA places board-level accountability for ICT third-party risk governance. Directors who approved inadequate third-party risk arrangements face personal liability.
SEC rules (US listed companies) require 4-day disclosure of material cyber incidents. The SEC charged the SolarWinds CISO personally — not the company — for misleading investors about cybersecurity practices.
UK Companies Act s174 requires directors to exercise reasonable care, skill, and diligence. A director who was briefed on a documented credential vulnerability and chose not to act has a documented failure to meet the standard of care.
D&O insurance explicitly excludes known risks that board members failed to mitigate. A board that received a credential risk briefing and deferred action has a documented known risk — coverage for a resulting breach may be partial or denied.
Tags: Director liability, NIS2, DORA, D&O